Patch Analysis for February 2010

Microsoft reports that it is not aware of any active exploits as of the patch release date, at least for the vulnerabilities it has patches for. We cannot rest, though: the Exploitability Index rates 12 of the vulnerabilities at 1 (consistent exploit code likely). The 13 bulletins released still don't address everything. Security Advisory 980088, covering the publicly disclosed Internet Explorer vulnerability we heard about last week, remains open, so we may yet get another out-of-band patch for Internet Explorer.

MS10-003 offers a workaround that simply says "do not open files from an untrusted source". That is common sense, but it cannot be relied upon in practice, especially when someone you trust gets infected with malware that sends you a file from their account. Treat the workaround as awareness guidance, not as a control, and patch.

Digging around a little on MS10-004 indicates that PowerPoint Viewer may also be affected. However, Microsoft is not offering the patch for a standalone installation of PowerPoint Viewer 2003, for example, because that product is no longer supported; the only fix there is to update to a supported viewer.

MS10-005 addresses a vulnerability in the way Microsoft Paint parses JPEG files. Microsoft offers guidance on how to disable or remove Paint; doing so reduces the attack surface on machines where the program is not needed or wanted, which includes most servers.

MS10-006 covers multiple vulnerabilities in the SMB client, with attack vectors of a malicious SMB server or a man-in-the-middle attack on an internal network. A successful attack could run code remotely or cause a denial of service. The workaround of blocking SMB at the firewall cannot address all vectors, since an attacker who is already on the internal network is not filtered by the perimeter.

MS10-008 is a cumulative update for ActiveX kill bits: it sets kill bits for vulnerable Microsoft and third-party controls so that Internet Explorer refuses to load them.
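A kill bit is nothing more than a flag in the registry, so for any control the bulletin lists you can confirm or apply the kill bit yourself before the cumulative update reaches a machine. The script below is an added example, not part of Randy's newsletter or of Microsoft's bulletin. It assumes Windows PowerShell on XP or later run from an elevated prompt; the CLSID in the usage lines is a placeholder, not a control from MS10-008, and must be replaced with a CLSID from the bulletin.

```powershell
# Added example (not from the original newsletter). Check or set the Internet
# Explorer kill bit for one ActiveX control. The bit lives in
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" (DWORD), bit 0x400 = COMPAT_EVIL_DONT_LOAD
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy, so both are handled.
$KillBit = 0x400

function Get-KillBitPath {
    param([string]$Clsid, [switch]$Wow64)
    $base = 'HKLM:\SOFTWARE'
    if ($Wow64) { $base = 'HKLM:\SOFTWARE\Wow6432Node' }
    return "$base\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [switch]$Wow64)
    $path = Get-KillBitPath -Clsid $Clsid -Wow64:$Wow64
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -eq $null) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [switch]$Wow64)
    $path = Get-KillBitPath -Clsid $Clsid -Wow64:$Wow64
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($existing -eq $null) { $existing = 0 }
    # OR the bit in so that any other compatibility flags already set survive.
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' `
                     -Value ($existing -bor $KillBit) -Type DWord
}

# Usage. Placeholder CLSID: substitute one listed in the bulletin.
$clsid = '{00000000-0000-0000-0000-000000000000}'
if (-not (Test-KillBit $clsid)) { Set-KillBit $clsid }
if ([IntPtr]::Size -eq 8 -and -not (Test-KillBit $clsid -Wow64)) { Set-KillBit $clsid -Wow64 }
"Kill bit set for ${clsid}: $(Test-KillBit $clsid)"
```

Setting the bit by hand is a stopgap for machines that cannot take the update immediately; the cumulative update remains the real fix, because it also carries kill bits for controls you may not have inventoried.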

MS10-010 is for those running Hyper-V on Server 2008, especially those that allow untrusted users on guest machines. A malicious user on a guest machine can bring the host system down, a denial of service that takes every other guest on that host with it.

One of the vulnerabilities in MS10-012 is publicly disclosed. Any machine running the SMB Server service is at risk. Risk is limited where no network shares are exposed, that is where the Server service is stopped or TCP 139/445 are blocked, but keep in mind that the administrative shares (C$, ADMIN$, IPC$) exist on every box with the service running, so "no shares" usually means "no user-created shares".
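Before deciding how fast MS10-012 needs to go out, it helps to know which hosts actually expose the SMB Server service and what they share. The script below is an added example, not from Randy's newsletter. It assumes Windows PowerShell with WMI available and enough rights to enumerate shares; the "Exposure" rating is my own rule of thumb, not something the bulletin defines.

```powershell
# Added example (not from the original newsletter). Report whether this host
# exposes the SMB Server service that MS10-012 patches, and what it publishes.
function Get-SmbServerExposure {
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $running = ($svc -ne $null -and $svc.Status -eq 'Running')

    # Win32_Share lists everything the Server service publishes. Administrative
    # shares end in '$' and stay reachable by authenticated users, so they are
    # listed separately from shares someone created deliberately.
    $shares = @()
    if ($running) {
        $shares = @(Get-WmiObject -Class Win32_Share -ErrorAction SilentlyContinue)
    }
    $userShares  = @($shares | Where-Object { $_.Name -notmatch '\$$' })
    $adminShares = @($shares | Where-Object { $_.Name -match '\$$' })

    # Assumed rating (not from the bulletin): service stopped = Low,
    # admin shares only = Medium, user-created shares = High.
    $exposure = 'Low'
    if ($running -and $userShares.Count -gt 0) { $exposure = 'High' }
    elseif ($running)                           { $exposure = 'Medium' }

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        ServerServiceRunning = $running
        UserShares           = (($userShares  | ForEach-Object { $_.Name }) -join ', ')
        AdminShares          = (($adminShares | ForEach-Object { $_.Name }) -join ', ')
        Exposure             = $exposure
    }
}

Get-SmbServerExposure | Format-List ComputerName, ServerServiceRunning, UserShares, AdminShares, Exposure
```

A "Low" result only means the Server service is not listening; a host-based firewall rule blocking TCP 139 and 445 gives the same effect for hosts that must keep the service running for local reasons, and either way the patch still has to be applied.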

MS10-013 illustrates how multimedia (DirectShow) can make a server vulnerable, although best practice would preclude playing games or watching videos on a server. I better stop playing pinball on that client's huge DB server…

As MS10-014 notes, the domain controllers that are vulnerable are those with a trust relationship to a non-Windows Kerberos realm; a forest made up only of Windows domains is not exposed to this denial of service.

In MS10-015 the workaround (prevent access to 16-bit applications, which disables the NTVDM subsystem) only addresses one of the two vulnerabilities, so it is a stopgap until the patch is applied, not a substitute for it.
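The MS10-015 workaround is a Group Policy setting that lands in the registry, so it can be verified and applied with a script on machines that cannot be patched right away. The following is an added example, not part of Randy's newsletter or of the bulletin. It assumes Windows PowerShell run elevated, and that the "Prevent access to 16-bit applications" policy is stored as the VDMDisallowed value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat.

```powershell
# Added example (not from the original newsletter). Apply or check the
# MS10-015 workaround: block 16-bit applications, which keeps the NTVDM
# subsystem from loading. This mitigates only one of the two vulnerabilities
# in the bulletin; the patch is still required.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

function Test-NtvdmDisabled {
    if (-not (Test-Path $PolicyPath)) { return $false }
    $v = (Get-ItemProperty -Path $PolicyPath -Name VDMDisallowed `
          -ErrorAction SilentlyContinue).VDMDisallowed
    return ($v -eq 1)
}

function Disable-Ntvdm {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name VDMDisallowed -Value 1 -Type DWord
}

function Enable-Ntvdm {
    # Roll back the workaround once the patch is installed and tested.
    if (Test-Path $PolicyPath) {
        Remove-ItemProperty -Path $PolicyPath -Name VDMDisallowed -ErrorAction SilentlyContinue
    }
}

if ([IntPtr]::Size -eq 8) {
    # 64-bit Windows ships no NTVDM, so the 16-bit workaround is moot there;
    # the bulletin's second vulnerability still needs the patch.
    '64-bit Windows: NTVDM not present, workaround does not apply.'
} else {
    if (-not (Test-NtvdmDisabled)) { Disable-Ntvdm }
    "16-bit applications blocked by policy: $(Test-NtvdmDisabled)"
}
```

Expect the policy to break any legacy 16-bit line-of-business application on the machine, which is exactly why the newsletter's recommendation remains "patch after testing" rather than "apply the workaround and forget it".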

| Bulletin | KB article | Exploit types / technologies affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|---|
| MS10-012 | 971468 | Arbitrary code / SMB Server | Servers | Yes / No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing |
| MS10-009 | 974145 | Arbitrary code, denial of service / Windows TCP/IP | Workstations, Servers | No / No | No | Critical | Vista, Server 2008 | Restart req'd | Patch after testing |
| MS10-004 | 975416 | Arbitrary code / Office PowerPoint | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2004 for Mac | Multiple vulnerabilities | Patch after testing; update PowerPoint Viewer |
| MS10-007 | 975713 | Arbitrary code / Windows Shell handler | Workstations, Terminal Servers | No / No | No | Critical | Win2000, XP, Server 2003 | Restart req'd | Patch after testing |
| MS10-015 | 977165 | Privilege elevation / Windows kernel | Workstations, Terminal Servers | Yes / No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Windows 7 | Restart req'd | Patch after testing |
| MS10-014 | 977290 | Denial of service / Kerberos | Domain Controllers | No / No | No | Important | Win2000 Server, Server 2003, Server 2008 | Restart req'd | Patch after testing |
| MS10-010 | 977894 | Denial of service / Hyper-V | Servers | No / No | No | Important | Server 2008, Server 2008 R2 | Restart req'd | Patch after testing |
| MS10-013 | 977935 | Arbitrary code / DirectShow | Workstations, Terminal Servers | No / No | No | Critical | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing |
| MS10-011 | 978037 | Privilege elevation / Windows (CSRSS) | Workstations, Terminal Servers | No / No | No | Important | Win2000, XP, Server 2003 | Restart may be req'd | Patch after testing |
| MS10-003 | 978214 | Arbitrary code / Office | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2004 for Mac | | Patch after testing |
| MS10-006 | 978251 | Arbitrary code, privilege elevation, denial of service / SMB Client | Workstations, Servers | No / No | No | Critical | Win2000, XP, Server 2003, Vista, Server 2008, Windows 7, Server 2008 R2 | Restart req'd | Patch after testing |
| MS10-008 | 978262 | Arbitrary code / ActiveX | Workstations, Terminal Servers | No / No | Yes | Critical | Win2000, XP, Server 2003, Vista, Server 2008, Windows 7, Server 2008 R2 | Cumulative update | Set kill bits; patch after testing |
| MS10-005 | 978706 | Arbitrary code / Microsoft Paint | Workstations, Terminal Servers | No / No | Yes | Moderate | Win2000, XP, Server 2003 | Restart req'd | Patch after testing |
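Once the decisions in the table are made, the remaining question is which of these KB packages are actually present on a given host. The script below is an added example, not from Randy's newsletter; it compares the KB numbers in the table with what Win32_QuickFixEngineering reports and assumes Windows PowerShell with WMI. Two caveats are built in: QFE reports only operating-system updates, so the Office bulletins (MS10-003, MS10-004) never show up there even when installed, and a KB that does not apply to the host's OS version is reported as missing too. Treat "Missing" as a prompt to verify, not as proof.

```powershell
# Added example (not from the original newsletter). Map the February 2010
# bulletins to their KB packages (numbers taken from the table above) and
# report which ones this host has installed according to WMI.
$FebruaryBulletins = @{
    'MS10-003' = 'KB978214'
    'MS10-004' = 'KB975416'
    'MS10-005' = 'KB978706'
    'MS10-006' = 'KB978251'
    'MS10-007' = 'KB975713'
    'MS10-008' = 'KB978262'
    'MS10-009' = 'KB974145'
    'MS10-010' = 'KB977894'
    'MS10-011' = 'KB978037'
    'MS10-012' = 'KB971468'
    'MS10-013' = 'KB977935'
    'MS10-014' = 'KB977290'
    'MS10-015' = 'KB977165'
}
# Office updates are not recorded in Win32_QuickFixEngineering.
$OfficeBulletins = @('MS10-003', 'MS10-004')

function Get-February2010PatchStatus {
    $installed = @{}
    Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $installed[$_.HotFixID] = $true }

    foreach ($bulletin in ($FebruaryBulletins.Keys | Sort-Object)) {
        $kb = $FebruaryBulletins[$bulletin]
        $status = 'Missing (or not applicable to this OS)'
        if ($installed.ContainsKey($kb)) {
            $status = 'Installed'
        } elseif ($OfficeBulletins -contains $bulletin) {
            $status = 'Not reported by QFE (Office update; check Office update history)'
        }
        New-Object PSObject -Property @{ Bulletin = $bulletin; KB = $kb; Status = $status }
    }
}

Get-February2010PatchStatus | Format-Table Bulletin, KB, Status -AutoSize
```

Run it across a set of hosts (for example through a remote management tool or a logon script writing to a share) and the "Missing" rows become the work list for the bulletins the table marks Critical or publicly disclosed.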
